Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE...
Transcript of Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE...
![Page 1: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/1.jpg)
Mobile Platform SecurityTrusted Execution Environments
N. AsokanAalto University and University of Helsinki
Jointly prepared with: Jan-Erik Ekberg, Trustonic
Kari Kostiainen, ETH Zurich
![Page 2: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/2.jpg)
2
What is a TEE?
Execution Environment
![Page 3: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/3.jpg)
3
What is a TEE?
Execution Environment
Isolated and integrity-protected
Processor, memory, storage, peripherals
From the “normal” execution environment (Rich Execution Environment)
Chances are that:You have devices with hardware-based TEEs in them!But you probably don’t have (m)any apps using them
Trusted
![Page 4: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/4.jpg)
4
Outline
• A look back – Why do mobile devices have TEEs?
• Mobile hardware security – What constitutes a TEE?
• Application development – Mobile hardware security APIs
• Current standardization – UEFI, NIST, Global Platform
• Current standardization: TCG– TPM1.2 and TPM 2.0 extended authorization model
• A look ahead – Challenges and summary
![Page 5: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/5.jpg)
A LOOK BACKWhy do most mobile devices today have TEEs?
![Page 6: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/6.jpg)
6
Platform security for mobile devices
Regulators1. RF type approval secure storage2. Theft deterrence immutable ID3. …
Mobile network operators1. Subsidy locks immutable ID2. Copy protection device
authentication, app separation3. …
End users1. Reliability app separation2. Theft deterrence immutable ID3. Privacy app separation4. …
Closed openDifferent expectations compared to PCs
![Page 7: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/7.jpg)
7
Early adoption of platform security
GSM 02.09, 1993
3GPP TS 42.009, 2001
~2001 ~2002 ~2005 ~2008
Different starting points compared to PCs:Widespread use of hardware and software platform security
![Page 8: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/8.jpg)
8
Historical perspective
Cambridge CAP
1970 1980 1990 2000 2010
Reference monitor
Protection rings
VAX/VMS
Java security architecture
Hardware-assisted secure boot
Trusted Platform Module (TPM)
Late launch
Computer securitySmart card securityMobile security
Mobile hardware security architectures
TI M-Shield
ARM TrustZone
Mobile OS security architectures
Mobile Trusted Module (MTM)
Simple smart cards
Java Card platform
TPM 2.0
Intel SGX
GP TEE standards
TPM Mobile
On-board Credentials
First part
Second part
NIST
![Page 9: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/9.jpg)
MOBILE HARDWARE SECURITYWhat constitutes a TEE?
![Page 10: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/10.jpg)
10
1. Platform integrity
2. Secure storage
3. Isolated execution
4. Device identification
5. Device authentication
TEE overview
Platform integrity
Device certificate
Boot sequence
Device identification
Secure storage and isolated execution
Cryptographic mechanisms
Deviceauthentication
Base identity
Verification root
Device key
Identity
Public device key
Trusted application
TEE mgmtlayer
Non-volatile memory
Volatile memory
App
Mobile OS
REE
App
TEE mgmt layer
Trusted app
Trusted app
TEE
Mobile device hardware
More information in the 2014 IEEE S&P article
![Page 11: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/11.jpg)
11
Secure boot vs. authenticated boot
Secure boot
Firmware
OS Kernel checker
pass/failBoot block
pass/fail
checker
checker
hash()
hash()
Authenticated boot
Firmware
Boot block
OS Kernel measurer
measurer
measurer state
hash()
hash()
aggregated hash
pass/fail
Why? Start any configurationState can be:- bound to stored secrets (sealing) or resources- reported to external verifier (remote attestation)
Why?Start only known trusted configurations , but remember the state
![Page 12: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/12.jpg)
12
Platform integrity
TEE code
Platform integrity
Launch boot code
Boot sequence
Trust anchor (Code)
Legend
External certificate
Trust anchor (Hardware)
Volatile memory
Boot code certificate
Boot code hash
Verification root
Mobile device hardware TCB
Device key
Non-volatile
memory
Device identification
Base identity
Trusted Application
(TA)
TEE management
Secure storage and isolated execution
Device manufacturer public key: PKM
Cryptographic mechanisms
Signature verification algorithm
Certified by device manufacturer: SigSKM
(H(boot code))
Stores measurements for authenticated boot
![Page 13: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/13.jpg)
13
Volatile memory
Verification root
Secure storage
TEE code
Secure storage
Mobile device hardware TCB
Trust anchor (Code)
Legend
External certificate
Trust anchor (Hardware)
Device key KD
Non-volatile
memory
Cryptographic mechanisms
Device identification
Base identity
Trusted Application
(TA)
TEE management
Platform integrity
Boot sequence
Protected memory
Encryption algorithm
Rollback protection
Insecure Storage
Sealed-data = AuthEncKD(data | ...)
![Page 14: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/14.jpg)
14
Isolated execution
TEE code
Secure storage and isolated execution
Mobile device hardware TCB
Trust anchor (Code)
Legend
External certificate
Trust anchor (Hardware)
Trusted Application
(TA)
Cryptographic mechanisms
Volatile memory
Verification root
TEE management
TA code certificate
TA code hash
Device key KD
Non-volatile
memory
TEE Entry from Rich Execution Environment
Boot sequence
Platform integrity
Base identity
Device identification
Controls TA execution
Certified by device manufacturer
![Page 15: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/15.jpg)
15
Device identification
TEE code
Mobile device hardware TCB
Trust anchor (Code)
Legend
External certificate
Trust anchor (Hardware)
Cryptographic mechanisms
Verification root
Identity certificate
Assigned identity
Device identification
Base identity
Base identity
Platform integrity
Boot sequence
Volatile memory Device key KD
Non-volatile
memory
Trusted Application
(TA)
TEE management
Secure storage and isolated execution
One fixed device identity
Multiple assigned identities (Certified by device manufacturer)
![Page 16: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/16.jpg)
16
Verification root
Device authentication (and remote attestation)
TEE code
Mobile device hardware TCB
Trust anchor (Code)
Legend
External certificate
Trust anchor (Hardware)
Cryptographic mechanisms
Device certificate
Device public key PKD
Device authentication
Identity
Device key KD
External trust root
Volatile memory
Boot sequence
Platform integrity
Non-volatile
memory
Trusted Application
(TA)
TEE management
Secure storage and isolated execution
Issued by device manufacturer
Used to protect/derive signature key
Sign system state in remote attestation
![Page 17: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/17.jpg)
17
1. Platform integrity– Secure boot
– Authenticated boot
Hardware security mechanisms (recap)
TEE code
Platform integrity
TEE Entry from Rich Execution Environment
Identity certificate
Device certificate
Launch boot code
Boot code certificate TA code certificate
Boot sequence
Device identification
Secure storage and isolated execution
Cryptographic mechanisms
Mobile device hardware TCB
Deviceauthentication
Trust anchor (Code)
Legend
External certificate
Trust anchor (Hardware)
Base identity
Verification root
External trust root
Device key KD
Base identity
Assigned identity
Boot code hash TA code hash
Identity
Device pub. key PKD
Trusted application
TEE mgmtlayer
Non-volatile memory
Volatile memory
2. Secure storage
3. Isolated execution
– Trusted Execution Environment (TEE)
4. Device identification
5. Device authentication
– Remote attestation
![Page 18: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/18.jpg)
18
Device
TEE entry
App
Device OS
Rich execution environment (REE)
App
TEE management layer
Trusted app
Trusted app
TEE API
Trusted execution environment (TEE)
Device hardware and firmware with TEE support
TEE system architecture
Architectures with single TEE
• ARM TrustZone
• TI M-Shield
• Smart card
• Crypto co-processor
• Trusted Platform Module (TPM)
Architectures with multiple TEEs
• Intel SGX
• TPM (and “Late Launch”)
• Hypervisor
Figure adapted from: Global Platform. TEE system architecture. 2011.
![Page 19: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/19.jpg)
19
External Security Co-processor
External Secure Element(TPM, smart card)
TEE component
On-SoC
RAM ROM
OTP Fields
External Peripherals
Processor core(s)
Off-chip memory
TEE hardware realization alternatives
Figure adapted from: Global Platform. TEE system architecture. 2011.
Internal peripherals
RAM ROM
OTP Fields
External Peripherals
Processor core(s)
Off-chip Memory
Internal peripherals
Embedded Secure Element(smart card)
On-chip Security Subsystem
On-SoC
Processor Secure Environment(TrustZone, M-Shield)
On-SoC
RAM ROM
OTP Fields
External Peripherals
Processor core(s)
Off-chip Memory
Internal peripherals
Legend:SoC : system-on-chipOTP: one-time programmable
![Page 20: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/20.jpg)
20
ARM TrustZone architecture
TEE entry
App
Mobile OS
Normal world (REE)
App
Trusted OS
Trusted app
Trusted app
Secure world (TEE)
Device hardware
TrustZone system architecture
SoC internal bus (carries status flag)
Main CPUModem
Peripherals (touchscreen, USB, NFC…)
Memory controller
Memory controller
Off-chip/main memory (DDR)
System on chip (SoC)
Boot ROM
Access control hardware
On-chip memory
Access control hardware
Access control hardware
TrustZone hardware architecture
Interrupt controller
Secure World and Normal World
![Page 21: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/21.jpg)
21
TrustZone overviewSecure World (SW)Normal World (NW)
User mode
Supervisor Supervisor
User User
SCR.NS=1
Boot sequence
Monitor
Secure Monitor call (SMC)
SCR.NS=0
SCR.NS := 1
Privileged mode
TZ-aware MMU
SW RWNW NA
SW RONW WO
SW RWNW RW
physical address range
Address space controllers
On-chip ROM On-chip RAM Main memory
Legend:MMU: memory management unit
SCR.NS := 0
![Page 22: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/22.jpg)
22
TrustZone example (1/2)
Secure World Supervisor
Boot vector
1. Boot begins in Secure World Supervisor mode (set access control)
4. Prepare for Normal World boot
Secure World Supervisor
3. Configure address controller (protect on-chip memory)
Secure World Supervisor
2. Copy code and derive keys from on-chip ROM to on-chip RAM
Secure World Supervisor
On-chip ROM
On-chip RAM
Main memory (DDR)
SW RWNW NA
SW RWNW NA
SW RWNW NA
code (trusted OS)device key SW NA
NW NA
SW RWNW RW
code (boot loader)
![Page 23: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/23.jpg)
23
TrustZone example (2/2)
5. Jump to Normal World Supervisor for traditional boot
Secure World Supervisor Normal World
Supervisor
An ordinary boot follows: Set up MMU, load OS, drivers…
6. Set up trusted application execution
Supervisor
Normal World User
Secure World Monitor
Normal World Supervisor
SMC, SCR.NS0
7. Execute trusted application
On-chip ROM
On-chip RAM
Main memory (DDR)
SW NANW NA
SW RWNW NA
SW RWNW RW
trusted app and parameters
SCR.NS1
![Page 24: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/24.jpg)
24
Mobile TEE deployment
• TrustZone support available in majority of current smartphones
• Mainly used for manufacturer internal purposes
– Digital rights management, Subsidy lock…
• APIs for developers?
TEE entry
App
Mobile OS
Normal world
App
Trusted OS
Trusted app
Trusted app
Secure world
Smartphone hardware
![Page 25: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/25.jpg)
APPLICATION DEVELOPMENTMobile hardware security APIs
![Page 26: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/26.jpg)
26
Mobile hardware security APIs
JSR 177 PKCS #11
1. Secure element APIs: (smart cards)
2. Mobile hardware key stores:
iOS Key Store Android Key Store
Trustonic <t-base API
3. Programmable TEE “credential platforms”:
On-board Credentials
![Page 27: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/27.jpg)
27
Android Key Store API
// create RSA key pair
Context ctx;
KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx);
spec.setAlias(”key1")
…
spec.build();
KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
gen.initialize(spec);
KeyPair kp = gen.generateKeyPair();
// use private key for signing
AndroidRsaEngine rsa = new AndroidRsaEngine("key1", true);
PSSSigner signer = new PSSSigner(rsa, …);
signer.init(true, …);
signer.update(signedData, 0, signedData.length);
byte[] signature = signer.generateSignature();
Android Key Store example
Elenkov. Credential storage enhancements in Android 4.3. 2013.
![Page 28: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/28.jpg)
28
Example Android Key Store implementation
TEE entry
Android app
Android OS
Normal world
Android app
Qualcomm Secure Execution Environment
(QSEE)
Java Cryptography Extensions (JCE)
Secure world
ARM with TrustZone
Keymaster Trusted app
Android device
libQSEEcomAPI.so
Selected devices
• Android 4.3
• Nexus 4, Nexus 7
Keymaster operations
• GENERATE_KEYPAIR
• IMPORT_KEYPAIR
• SIGN_DATA
• VERIFY_DATA
Persistent storage on Normal World
Elenkov. Credential storage enhancements in Android 4.3. 2013.
![Page 29: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/29.jpg)
29
Android Key Store
• Only predefined operations– Signatures– Encryption/decryption
• Global Platform is standardizing TEE APIs
• Developers cannot utilize programmability of mobile TEEs– Not possible to run arbitrary trusted applications– (Same limitations hold for hardware protected iOS key store)
• Different API abstraction and architecture needed…• Example: On-board Credentials
Skip ObC
![Page 30: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/30.jpg)
30
On-board Credentials goal
??
Secure yet inexpensive
An open credential platform that enables existing mobile TEEs
![Page 31: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/31.jpg)
31
On-board Credentials (ObC) architecture
Mobile device
Driver
App
Mobile OS
Rich execution environment (REE)
App
Mobile device hardware with TEE support
ObC InterpreterObC scheduler
Trusted app dynamic state
Trusted app persistent store
I/O dataInterpreted codeInterpreter state
Loaded trusted app
ObC APIProvisioning, execution, sealing
Trusted execution environment (TEE)
Ekberg. Securing Software Architectures for Trusted Processor Environments. Dissertation, Aalto University 2013.Kostiainen. On-board Credentials: An Open Credential Platform for Mobile Devices. Dissertation, Aalto University 2012.
![Page 32: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/32.jpg)
32
Centralized provisioning vs. open provisioning
Centralized provisioning(smart card)
Central authority
Service provider
Service user device
Service provider Service provider
Service user device
Service provider Service provider Service provider
Open provisioning(On-board Credentials)
![Page 33: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/33.jpg)
33
Open provisioning model
1. Certified device key + user authenticationPK
User deviceService provider
2. Provision new familyEnc(PK, FK) establish new security
domain (family)
4. Provision trusted applicationsAuthEnc(FK, hash(app)) + app
3. Provision new secretsAuthEnc(FK, secret)
Certified device keyPK
Pick new ‘family key’ FKEncrypt family key Enc(PK, FK)
Authorize trusted applicationsAuthEnc(FK, hash(app)) install trusted apps,
grant access to secrets
Encrypt and authenticate secretsAuthEnc(FK, secret) install secrets, associate
them to family
Principle of same-origin policy
Kostiainen, Ekberg, Asokan and Rantala. On-board Credentials with Open Provisioning. ASIACCS 2009.
Skip to App. Development summary
![Page 34: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/34.jpg)
34
• Trusted application development
– BASIC like scripting language
– Common crypto primitives available (RSA, AES, SHA)
• REE application counterpart
– Standard smartphone app (Windows Phone)
– ObC API: provisioning, trusted application execution
rem --- Quote operation
if mode == MODE_QUOTE
read_array(IO_SEALED_RW, 2, pcr_10)
read_array(IO_PLAIN_RW, 3, ext_nonce)
rem --- Create TPM_PCR_COMPOSITE
pcr_composite[0] = 0x0002 rem --- sizeOfSelect=2
pcr_composite[1] = 0x0004 rem --- PCR 10 selected (00 04)
pcr_composite[2] = 0x0000 rem --- PCR selection size 20
pcr_composite[3] = 0x0014
append_array(pcr_composite, pcr_10)
sha1(composite_hash, pcr_composite)
rem --- Create TPM_QUOTE_INFO
quote_info[0] = 0x0101 rem --- version (major/minor)
quote_info[1] = 0x0000 rem --- (revMajor/Minor)
quote_info[2] = 0x5155 rem --- fixed (`Q' and `U')
quote_info[3] = 0x4F54 rem --- fixed (`O' and `T')
append_array(quote_info, composite_hash)
append_array(quote_info, ext_nonce)
write_array(IO_PLAIN_RW, 1, pcr_composite)
rem --- Hash QUOTE_INFO for MirrorLink PA signing
sha1(quote_hash, quote_info)
write_array(IO_PLAIN_RW, 2, quote_hash)
On-board Credentials development
ObC trusted application extract
// install provisioned credential
secret = obc.InstallSecret(provSecret)
app = obc.InstallApp(provApplication)
credential = obc.CreateCredential(secret,
app, authData)
// run installed credential
output = obc.RunCredential(credential, input)
ObC counterpart application pseudo code
Service provider
![Page 35: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/35.jpg)
35
Example application: MirrorLink attestation
• MirrorLink system enables smartphone services in automotive context
• Car head-unit needs to enforce driver distraction regulations
• Attestation protocol– Defined using TPM structures (part of MirrorLink standard)
– Implemented as On-board Credentials trusted application (deployed to Nokia devices)
http://www.mirrorlink.com
Kostiainen, Asokan and Ekberg. Practical Property-Based Attestation on Mobile Devices. TRUST 2011.
Car head-unit
1. Attestation request
2. Attestation response
3. Enforce driver distraction regulations
Smartphone (with ObC)
![Page 36: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/36.jpg)
36
sig
Attestation protocol
TEEAttestation
serviceAttested
application
n
Verifier
Attest(n, p, PKA)
Attest(n, p || Hash(PKA))
sig, CertD p, sig, CertD, PKA
Check application identifierVerify property p
sig Sign(SKD, n || p || Hash(PKA))
Pick random nonce n
appData, appSig
Verify CertD and sigCheck property p
Save PKA
appSig Sign(SKA, appData)
Verify appSig
Application Identifier
Property
App1 P1, P2
App2 P3
… …
Pick property p to attest
Kostiainen, Asokan and Ekberg. Practical Property-Based Attestation on Mobile Devices. TRUST 2011.
![Page 37: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/37.jpg)
37
TEE Use Cases
• Mobile ticketing with NFC phones and TEE• Offline terminals at public transport stations
• Mobile devices with periodic connectivity
Such use case requires ticketing protocol with state keeping (authenticated counters)
• 110 traveler trial in New York (summer 2012)• Implemented as On-board Credentials trusted application
Example application: Public transport ticketing
Ekberg and Tamrakar. Tapping and Tripping with NFC. TRUST 2013
Offline terminal
Transport authoritysystem
Accountingsystem
Online terminal
Transaction evidence (authenticated counter)
![Page 38: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/38.jpg)
Transport ticketing protocol
38
REE
TEE
“Read”: CHALL, d
ctr, ack, Sigk(id, ctr)SigX(“READ”, CHALL, d, ctr-ack, Sigk(id, ctr-d))
Command 1: Read card state andcounter commitment
“Increment”: CHALL
ctr, SigX(“INCR”, CHALL, ctr) Command 2: Sign and increment ctr++
Operation
(none)
Command 3: Release commitment ack := ctrN
“Release”: ctrN, Sigk2(idN, ctrN)
“OK/Fail”
“Sign”: CHALL
SigX(“SIGN”, CHALL) Command 4: Sign challenge(none)
Authenticated counters implemented as an ObC program
Ekberg and Tamrakar. Tapping and Tripping with NFC. TRUST 2013
![Page 39: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/39.jpg)
39
Application development summary
• Mobile TEEs previously used mainly for internal purposes– DRM, subsidy lock
• Currently available third-party APIs enable only limited functionality– Signatures, decryption
– Android key store
– iOS key store
• Programmable TEE platforms– On-board Credentials
– Demonstrates that mobile TEEs can be safely
opened for developers
TEE entry
App
Mobile OS
REE
App
Trusted OS
Trusted app
Trusted app
TEE
Device hardware
Mobile device
![Page 40: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/40.jpg)
STANDARDIZATIONUEFI, NIST, Global Platform, Trusted Computing Group
![Page 41: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/41.jpg)
41
TEE standards and specifications
- First versions of standards already out- Goal: easier development and better interoperability
TEE entry
App
Mobile OS
REE
App
Trusted OS
Trusted app
Trusted app
TEE
Device hardware Secure Boot
REE app API
TEE app API
TEE environment
Hardware trust roots
Skip to Global Platform
![Page 42: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/42.jpg)
UEFISecure Boot
![Page 43: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/43.jpg)
43
Firmware init
EFI applications
EFI drivers
Device setup (example: TrustZone)
Driver firmware setup
EFI driversEFI driversEFI OS loaders Boot loaders
OS
UEFI –boot principle
Unified Extensible Firmware Interface SpecificationNyström et al: UEFI Networking and Pre-OS security (2011)
pass/fail
pass/fail
• UEFI standard intended as replacement for old BIOS • Secure boot an optional feature
![Page 44: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/44.jpg)
44
Platform Key (Pub/Priv)
Key Exchange Keys
Platform FirmwareKey Storage
tamper-resistantupdates governed by
platform key
Image Information Tablehashname, path Initialized / rejected
Successful &failedauthorizations
Key management for update
(ref: UEFI spec)
Signature Database (s)
Keys allowed toupdate
tamper-resistant (rollback prevention) updates governed by keys
White list + Black list for database images
UEFI – secure boot
![Page 45: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/45.jpg)
UEFI secure boot
• Thus far primarily used in PC platforms– Also applicable to mobile devices
• Can be used to limit user choice?– The specification defines user disabling
– Policy vs. mechanism
![Page 46: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/46.jpg)
NISTHardware-based Trust Roots for Mobile Devices
![Page 47: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/47.jpg)
47
Required security components are
a) Roots of Trust (RoT)
b) an application programming interface (API) to expose the RoT to the platform
“RoTs are preferably implemented in hardware”
“the APIs should be standardized”
Guidelines on Hardware-RootedSecurity in Mobile Devices (SP800-164, draft)
![Page 48: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/48.jpg)
48
Root of Trust for Storage (RTS): repository and aprotected interface to store and manage keying material
Root of Trust for Measurement (RTM): reliable measurements and assertions
Root of Trust for Verification (RTV): engine to verify digital signatures associated with software/firmware
Root of Trust for Integrity (RTI): run-time protected storagefor measurements and assertions
Root of Trust for Reporting (RTR): environment to manage identities and sign assertions
Roots of Trust (RoTs)
![Page 49: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/49.jpg)
49
Root of Trust mapping
Platform integrity
Device certificate
Boot sequence
Device identification
Secure storage and isolated execution
Cryptographic mechanisms
Deviceauthentication
Base identity
Verification root
Device key
Identity
Public device key
Trusted application
TEE mgmtlayer
Non-volatile memory
Volatile memory
RoT StorageRoT Verification
RoT Integrity RoT ReportingRoT Measurement
![Page 50: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/50.jpg)
GLOBAL PLATFORMTrusted Execution Environment (TEE) specifications
![Page 51: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/51.jpg)
52
GP standards for smart card systems used many years• Examples: payment, ticketing• Card interaction and provisioning protocols• Reader terminal architecture and certification
Recently GP has released standards for mobile TEEs• Architecture and interfaces
http://www.globalplatform.org/specificationsdevice.asp- TEE System Architecture- TEE Client API Specification v.1.0- TEE Internal Core API Specification v1.1- Trusted User Interface API v 1.0
Global Platform (GP)
![Page 52: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/52.jpg)
Isolationboundary TEE
Trusted Operating System
Secure Storage Crypto I/O RPC
TEE Internal Core API v.1.1
TrustedApplication
Rich Execution Environment OS
TEE Client API v.1.0
Application
Trusted User Interface API v.1.0
REE
TEE Driver
GP TEE System Architecture
![Page 53: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/53.jpg)
Isolationboundary TEE
Trusted Operating System
Secure Storage Crypto I/O RPC
TEE Internal Core API v.1.1
TrustedApplication
Rich Execution Environment OS
TEE Client API v.1.0
Trusted User Interface API v.1.0
REE
TEE Driver
Interaction with Trusted Application
Application
1
2
REE App provides a pointer to its memory for the Trusted App• Example: Efficient in place encryption
![Page 54: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/54.jpg)
55
// 1. initialize context
TEEC_InitializeContext(&context, …);
// 2. establish shared memory
sm.size = 20;
sm.flags = TEEC_MEM_INPUT | TEEC_MEM_OUTPUT;
TEEC_AllocateSharedMemory(&context, &sm);
// 3. open communication session
TEEC_OpenSession(&context, &session, …);
// 4. setup parameters
operation.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INPUT, …);
operation.params[0].value.a = 1; // First parameter by value
operation.params[1].memref.parent = &sm; // Second parameter by reference
operation.params[1].memref.offset = 0;
operation.params[1].memref.size = 20;
// 5. invoke command
result = TEEC_InvokeCommand(&session, CMD_ENCRYPT_INIT, &operation, NULL);
TEE Client API example
D2 Val:1CMD
Ref
N/A
N/A
Parameters:
![Page 55: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/55.jpg)
56
// each Trusted App must implement the following functions…
// constructor and destructor
TA_CreateEntryPoint();
TA_DestroyEntryPoint();
// new session handling
TA_OpenSessionEntryPoint(uint32_t param_types, TEE_Param params[4], void **session)
TA_CloseSessionEntryPoint (…)
// incoming command handling
TA_InvokeCommandEntryPoint(void *session, uint32_t cmd,
uint32_t param_types, TEE_Param params[4])
{
switch(cmd)
{
case CMD_ENCRYPT_INIT:
....
}
}
TEE Internal API example
In Global Platform model Trusted Applications are command-driven
![Page 56: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/56.jpg)
57
RPC: Communication with other TAs
Secure storage: Trusted App can persistently store memory and objects
Storage and RPC (TEE internal API)
TEE_CreatePersistentObject(TEE_STORAGE_PRIVATE, flags, ..., handle)
TEE_ReadObjectData(handle, buffer, size, count);
TEE_WriteObjectData(handle, buffer, size);
TEE_SeekObjectData(handle, offset, ref);
TEE_TruncateObjectData(handle, size);
TEE_OpenTASession(TEE_UUID* destination, …, paramTypes, params[4], &session);
TEE_InvokeTACommand(session, …, commandId, paramTypes, params[4]);
Also APIs for crypto, time, and arithmetic operations…
![Page 57: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/57.jpg)
58
Trusted User Interface API
• Trustworthy user interaction needed
– Provisioning
– User authentication
– Transaction confirmation
• Trusted User Interface API 1.0:
– TEE_TUIDisplayScreen
TEE entry
App
Mobile OS
REE
App
Trusted OS
Trusted app
Trusted app
TEE
Smartphone hardware
![Page 58: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/58.jpg)
59
GP device committee is working on a TEE provisioning specification
User-centric provisioning white paper
Global Platform User-centric provisioning
tokenprovider
user service provider
servicemanager
![Page 59: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/59.jpg)
GP standards summary
• Specifications provide sufficient basis for TA development
• Issues– Application installation (provisioning) model not yet defined
– Access to TEE typically controlled by the manufacturer
– User interaction
• Open TEE– Virtual TEE platform for prototyping and testing
– Implements GP TEE interfaces
– http://open-tee.github.io/
http://www.theregister.co.uk/2015/06/30/opentee_an_open_virtual_trusted_execution_environment/
![Page 60: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/60.jpg)
TRUSTED COMPUTING GROUPTPM 1.2 and TPM 2.0 EA
![Page 61: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/61.jpg)
64
Trusted Platform Module (TPM)
• Stores collected state information about a system
• separate from system on which it reports
• For remote parties
• Remote attestation in well-defined manner
• Authorization for functionality provided by the TPM
• Locally
• Generation and use of TPM-resident keys
• Sealing: Secure binding with non-volatile storage
• Engine for cryptographic operations
![Page 62: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/62.jpg)
65
• An enforcer for services outside the TPM
• An eavesdropping channel for remote monitoring
Secure Boot + (TEE OR TPM)can be used as a control mechanism(can protect or violate user privacy)
A TPM is NOT
HOWEVER
![Page 63: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/63.jpg)
66
RTM
Code 1measure m1send m1 to TPMlaunch code 1
Code 2measure m2send m2 to TPMlaunch code 2
Code 3measure m3send m3 to TPMlaunch code 3
…
Integrity-protected registers in volatile memory represent current system configuration
Store aggregated platform ”state” measurement a given state reached ONLY via the correct extension sequence Requires a root of trust for measurement (RTM)
Platform Configuration Registers (PCRs)
Authenticated boot
Hnew=H(Hold | new)
H0= 0H3=H (H (H (0|m1) |m2)|m3)
state
![Page 64: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/64.jpg)
67
Use of platform measurements (1/2)
Remote attestation– verifier sends a challenge
– attestation is SIGAIK(challenge, PCRvalue)
– AIK is a unique key specific to that TPM
(“Attestation Identity Key”)
– attests to current system configuration
![Page 65: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/65.jpg)
68
Use of platform measurements (2/2)
Sealing– bind secret data to a specific configuration
– E.g.,: Create RSA key pair PK/SK when PCRX value is Y
– Bind private key: EncSRK(SK, PCRX=Y)– SRK is known only to the TPM (cf. “device key” KD)
– “Storage Root Key”
– TPM will “unseal” key only if PCRX value is Y– Y is the “reference value”
![Page 66: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/66.jpg)
TPM Mobile (Mobile Trusted Module)
A TPM profile for Mobile devices that adds mechanisms for
• Adaptation to TEEs:
– New roots of trust definitions and requirements
• Multi-Stakeholder Model (MSM):
– ”Certified boot”: Secure boot with TCG authorizations
• Reference Integrity Metric (RIM) certificates:– ”if PCRX matches reference, extend PCRY by target”
![Page 67: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/67.jpg)
RIM Certificate
“If PCRX has value Hold, extend PCRY
(from 0) by vnew
PCRY
PCRX
Hold
H(0|vnew)
verification key
1. Verify
2. Update
![Page 68: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/68.jpg)
TPM authorization
• Authorization essential for access to sensitive TPM services/resources.
• TPMs have awareness of system state (cf., removable smartcards)
![Page 69: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/69.jpg)
76
Authorization (policy) in TPM 1.2
TPM 1.2
System
System
state info
External auth (e.g. password) Object (e.g. key)
Object invocation
Object authorization
Reference values:
”PCR selection”
authData
![Page 70: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/70.jpg)
77
TPM 2.0
‹ More expressive policy definition model
‹ Various policy preconditions
‹ Logical operations (AND, OR)
‹ A policy session accumulates all authorization information
![Page 71: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/71.jpg)
78
Authorization (policy) in TPM 2.0
TPM 2.0
Object (e.g. key)
System
System
state info
Object invocation
Object authorization
Other
TPM objs
policySession: policyDigest
Reference values:
authPolicyauthValue
External authorization:signaturespasswords
Commands to include some
part of TPM 2.0 (system)
state in policy validation
Checks:- policyDigest == authPolicy?- deferred checks succeed?
- command == X?- PCR 1 Y == Z?
![Page 72: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/72.jpg)
Authorization Policy Example
• Allow app A (and no other app) to use a TPM-protected RSA keypair k1
– Only when a certain OS is in use
• Assume that
– When right OS is used, PCR 1 = mOS
– When app A in foreground, PCR 2 = mA
![Page 73: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/73.jpg)
80
Enforcing the example policy
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
policySessionpolicyDigest
authPolicy
PCR 1: mOS
PCR 2: mA
k1: (private) decryption keyRSA_Decrypt (k1, c)
v11 <- … some TPM2_policyCommand …
v12 <- … some TPM2_policyCommand …
v13 <- … some TPM2_policyCommand …
RSA_Decrypt(k1, c)
Command sequence
Checks:- policyDigest == authPolicy?- deferred checks succeed?
- command == RSA_Decrypt?- PCR 1 == mOS?- PCR 2 == mA?
![Page 74: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/74.jpg)
82
TPM2 Policy Session Contents
‹ Contains accumulated session policy value: policyDigest
newDigestValue := H(oldDigestValue || commandCode || state_info )
‹ Some policy commands reset the value
IF condition THEN newDigestValue := H( 0 || commandCode
|| state_info )
‹ Can contain optional assertions for deferred policy checks to be made at object access time.
policyDigest
Deferred checks:- PCRs changed- Applied command- Command locality
policySession
![Page 75: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/75.jpg)
83
TPM2 Policy Command Examples
‹ TPM2_PolicyPCR: Include PCR values in the authorization
update policyDigest with [pcr index, pcr value]
newDigest := H(oldDigest || TPM_CC_PolicyPCR || pcrs || digestTPM)
‹ TPM2_PolicyNV: Include a reference value and operation (<, >, eq) for non-volatile memory area
e.g., if counter5 > 2 then update policyDigest with [ref, op, mem.area]
newDigest := H(oldDigest || TPM_CC_PolicyNV || args || nvIndex->Name)
![Page 76: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/76.jpg)
84
TPM2 Deferred Policy Example
‹ TPM2_PolicyCommandCode: Include command code for later checking during ”object invocation” operation:
update policyDigest with [command code]
newDigest := H(oldDigest || TPM_CC_PolicyCommandCode || code)
additionally save policySession->commandCode := command code
policySession->commandCode checked at the time of object invocation!
![Page 77: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/77.jpg)
85
Policy disjunction
TPM2_PolicyOR: Authorize one of several options:Input: List of digest values <D1, D2, D3, .. >
IF policySession->policyDigest in List THENnewDigest := H(0 || TPM2_CC_PolicyOR || List)
Reasoning: For a wrong digest Dx (not in <D1 D2 D3>) difficult to find List2 = <Dx Dy, Dz, .. >
such that H(List) == H(List2)
policyDigest
D1 D2 D3
H(.)
newDigestH (...|D1|D2|D3)
policyDigestDx
(Failing OR)
(Successful OR)
D1 D2 D3
Dx
![Page 78: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/78.jpg)
86
Policy conjunction
‹ No explicit AND command
‹ AND achieved by consecutive authorization commands order dependence
policyDigest
H(.)
PolicyCommandCode
D1 D2
Theoretical example: Use an OR to hide theorder dependence of an AND
PolicyPCR
policyDigest
PolicyPCR
PolicyCommandCode
![Page 79: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/79.jpg)
87
External Authorization
TPM2_PolicyAuthorize: Validate a signature on a policyDigest:
IF signature validates AND policySession->policyDigest in signed content THEN
newDigest := H(0 || TPM2_CC_PolicyAuthorize|| H(pub)|| ..)
pub
policyDigest
TPM2_PolicyAuthorize
priv
TPM2 +policySession
H (...|pub)
Z
Z
signature
![Page 80: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/80.jpg)
Let’s try this out: example 1
• Developer D – Has TPM2-protected keypair k1 and Application A
– Wants only A can use k1 via • TPM2_RSA_Decrypt (key, ciphertext)
• Assume that– OS measured into PCR1 (if correct OS: PCR1 =
mOS)
– Foreground app into PCR2 (if A: PCR2 = mA)
• What should authPolicy of k1 be?
![Page 81: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/81.jpg)
89
Example 1
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
policySessionpolicyDigest
authPolicy
PCR 1: mOS
PCR 2: mA
k1: private decryption keyRSA_Decrypt (k1, c)
v11 <- PolicyPCR(1, mOS) // v11 = h (0 || PolicyPCR || 1 || mOS)
v12 <- PolicyPCR(2, mA)// v12 = h (v11 || PolicyPCR || 2 || mA)
v13 <- PolicyCommandCode(RSA_Decrypt)// v13 = h (v12 || PolicyCommandCode || RSA_Decrypt)
RSA_Decrypt(k1, c)
Command sequence
Two checks:- policyDigest == authPolicy?- deferred checks succeed?
- command == RSA_Decrypt?- PCR 1 == mOS?- PCR 2 == mA?
NOTE: We drop “TPM2_” and “TPM_” prefixes for simplicity…
![Page 82: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/82.jpg)
Example 2
• What if D wants to authorize app A (PCR2=mA) or app A’ (PCR2=mA’)
![Page 83: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/83.jpg)
91
Example 2
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
authPolicy
PCR 1: mOS
PCR 2: mA
k1: private decryption keyRSA_Decrypt (k1, c)
v11 <- PolicyPCR(1, mOS) // v11 = h (0 || PolicyPCR || 1 || mOS)
v12 <- PolicyPCR(2, mA)// v12 = h (v11 || PolicyPCR || 2 || mA)
v13 <- PolicyCommandCode(RSA_Decrypt)// v13 = h (v12 || PolicyCommandCode || RSA_Decrypt)
RSA_Decrypt(k1, c)
Command sequence
PCR 2: mA’
policySessionpolicyDigest
![Page 84: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/84.jpg)
92
Example 2
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
authPolicy
PCR 1: mOS
PCR 2: mA
k1 : private decryption keyRSA_Decrypt (k1, c)
v11 <- PolicyPCR(1, mOS) // v11 = h (0 || PolicyPCR || 1 || mOS)
v12 <- PolicyPCR(2, mA)// v12 = h (v11 || PolicyPCR || 2 || mA)
v22 <- PolicyOR({v12, v12’})// v22 = h (0 || PolicyOR || (v12 || v12’) )
v23 <- PolicyCommandCode(RSA_Decrypt)// v23 = h (v22 || PolicyCommandCode || RSA_Decrypt)
RSA_Decrypt(k1, c)
Command sequence
policySessionpolicyDigest
![Page 85: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/85.jpg)
93
Example 2
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
authPolicy
PCR 1: mOS
PCR 2: mA’
k1 : private decryption keyRSA_Decrypt (k1, c)
v11 <- PolicyPCR(1, mOS) // v11 = h (0 || PolicyPCR || 1 || mOS)
v12’ <- PolicyPCR(2, mA’)// v12’ = h (v11 || PolicyPCR || 2 || mA’)
v22 <- PolicyOR({v12, v12’})// v22 = h (0 || PolicyOR || (v12 || v12’) )
v23 <- PolicyCommandCode(RSA_Decrypt)//v23 = h (v22 || PolicyCommandCode || RSA_Decrypt)
RSA_Decrypt(k1, c)
Command sequence
policySessionpolicyDigest
![Page 86: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/86.jpg)
94
Example 2’
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
authPolicy
PCR 1: mOS
PCR 2: mA
k1 : private decryption keyRSA_Decrypt (k1, c)
PCR 2: mA’
PCR 2: ?
Allow any app by D
Command sequence
RSA_Decrypt(k1, c)
? (must be independent of PCR 2 value)
policySessionpolicyDigest
![Page 87: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/87.jpg)
95
Example 2’
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
authPolicy
PCR 1: mOS
PCR 2: mA
k1 : private decryption keyRSA_Decrypt (k1, c)
Command sequence
v11 <- PolicyPCR(1, mOS) // v11 = h (0 || PolicyPCR || 1 || mOS)
v12 <- PolicyPCR(2, mA)// v12 = h (v11 || PolicyPCR || 2 || mA)
v13 <- PolicyCommandCode(RSA_Decrypt)//v13 = h (v12 || PolicyCommandCode || RSA_Decrypt)
v24 <- PolicyAuthorize (signature)// where signature <- Sig_D(v13)// v24 = h (0 || PolicyAuthorize || PK_D)
RSA_Decrypt(k1, c)
PK_D/SK_D
Allow any app by D
policySessionpolicyDigest
![Page 88: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/88.jpg)
96
policySessionpolicyDigest
Example 2’
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
authPolicy
PCR 1: mOS
PCR 2: mA’’
k1 : private decryption keyRSA_Decrypt (k1, c)
Command sequence
v11 <- PolicyPCR(1, mOS) // v11 = h (0 || PolicyPCR || 1 || mOS)
v12’’ <- PolicyPCR(2, mA’’)// v12 = h (v11 || PolicyPCR || 2 || mA’’)
v13’’ <- PolicyCommandCode(RSA_Decrypt)//v13’’ = h (v12’’ || PolicyCommandCode || RSA_Decrypt)
v24 <- PolicyAuthorize (signature’’)// where signature’’ <- Sig_D(v13’’)// v24 = h (0 || PolicyAuthorize || PK_D)
RSA_Decrypt(k1, c)
PK_D/SK_D
Allow any app by D
![Page 89: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/89.jpg)
97
policySessionpolicyDigest
Example 2’
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
authPolicy
PCR 1: mOS
PCR 2: mA’’
k1 : private decryption keyRSA_Decrypt (k1, c)
Command sequence
v11 <- PolicyPCR(2, mA’’)// v11 = h (0 || PolicyPCR || 2 || mA)
v12 <- PolicyAuthorize (signature’’)// where signature’’ <- Sig_D(v11’’)// v12 = h (0 || PolicyAuthorize || PK_D)
v13 <- PolicyPCR(1, mOS) // v13 = h (v12 || PolicyPCR || 1 || mOS)
v14 <- PolicyCommandCode(RSA_Decrypt)//v14 = h (v14 || PolicyCommandCode || RSA_Decrypt)
RSA_Decrypt(k1, c)
PK_D/SK_D
But we don’t want to allow any OS or any policyCommand!
Skip to Secure Boot example
![Page 90: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/90.jpg)
More Examples
• Example 3
– D wants to license the use of k1 to any app of another developer D1
– D1’s app signing keypair PK_D1/SK_D1
• Example 4
– D wants to license use of k1 to any app of anydeveloper that he later authorizes!
Skip to Secure Boot example
![Page 91: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/91.jpg)
Example 3
• D wants to license the use of k1 to any app of another developer D1
– D1’s app signing keypair PK_D1/SK_D1
![Page 92: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/92.jpg)
100
policySessionpolicyDigest
Example 3
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
authPolicy
PCR 1: mOS
PCR 2: mA1
k1 : private decryption keyRSA_Decrypt (k1, c)
PK_D/SK_D
PK_D1/SK_D1
Command sequence
RSA_Decrypt(k1, c)
Allow any app by D or D1
? (must be independent of PCR 2 value; must allow either public key to policyAuthorize PCR 2 value)
![Page 93: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/93.jpg)
Example 4
• D wants to license use of k1 to any app of anydeveloper that he later authorizes!
![Page 94: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/94.jpg)
104
policySessionpolicyDigest
Example 4
TPM2
Object (e.g. key)
System
System
state info
Object invocation
(”policy command”)
Object authorization
Other
TPM objs
authPolicy
PCR 1: mOS
PCR 2: mA’
k1 : private decryption keyRSA_Decrypt (k1, c)
PK_D/SK_D
Command sequence
RSA_Decrypt(k1, c)
Allow any app certified by anydeveloper authorized by D
? (must be independent of PCR 2 value; independent of public key used to authorize PCR 2 value)
PK_D’/SK_D’
policyAuthorize
![Page 95: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/95.jpg)
Example policy: Simple Secure Boot
• Suppose PCR 2 has value mA when Platform A kernel loaded
• Sequence of commands to ensure secure boot– [PCRExtend(2, measurement value); Start new authorization session]– V1 <- PolicyPCR (2, mA)– V2 <- PolicyCommandCode (PCRExtend) PCRExtend(5, mA)
• authPolicy for PCR 5 is V2– V1 = h (0 || PolicyPCR || 2 || mA)– V2 = h (V1 || PolicyCommandCode || PCR_Extend)
Platform A kernel
measurement mA PCR 2
Continue boot only if Platform A kernel has been loaded
measurement mAPCR5
IFObject invocation for
authorization
Skip to Standards Summary
![Page 96: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/96.jpg)
106
Simple secure boot not always enough
Secure boot can have the following properties
A) Extend to start up of applications
B) Include platform-dependent policy
C) Include optional or complementary boot branches
D) Order in which components are booted may matter
Skip to Standards Summary
![Page 97: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/97.jpg)
107
1. Root-of-Trust-for-Measurement starts Boot Loader and boot process2. It loads the TEE and TPM (PCR 1)3. It loads the REE OS (PCR 2)4. We want to verify loading of the OS TEE driver (PCR 3)
Authorization policy conditional to correct execution of previous steps
Advanced Secure Boot example
Isolationboundary TEE
Trusted Operating System
OS
Application
REE
TEE Driver
Load driver?
Authorizing entity
TPM 2
Skip to Standards Summary
![Page 98: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/98.jpg)
108
Advanced Boot: example policy
Isolationboundary TEE
Trusted Operating System
OS
Application
REE
TEE Driver
TPM 2
PCR5: X | 00…00
• Policy applies to extending of PCR5 (authPolicy = X)• Create policy session with policyDigest = X
Initial valueauthPolicy
Skip to Standards Summary
![Page 99: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/99.jpg)
109
OS TEE driver will be measured and launched
Advanced Boot Policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
External signature
measurementPCR 2
measurementPCR 2
measurement PCR5
IF
Rollback protection...
AND
Assumptions
AND
Policy applies onlyto PCR update
Driver supplier can change policy later
TEE OS driver loaded
measurementPCR 3
AND
TEE succesfully loaded
measurementPCR 1
Skip to Standards Summary
![Page 100: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/100.jpg)
110
• authPolicy X = H(PK_A)*• driver supplier A can authorize any value Y as policy for PCR 5
* more precisely H(0 || PolicyAuthorize || PK_A || …)
PK_A
PolicyDigest
PolicyAuthorize
SK_A
X=H(PK_A)
Y
Y
Advanced Boot Policy
Y PolicyAuthorize(SigA(Y)) X
TEETPM2
PCR5 X 00000eventually compare..
Skip to Standards Summary
![Page 101: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/101.jpg)
111
Example policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
Ext.sign.
measurementPCR 2
measurementPCR 2
OS driver for TEE will be measured and launched
measurement PCR5
IF
Rollback protection ..
AND
Assumptions
AND
Policy applies onlyto PCR updates
Driver supplier can change policy later
AND
Y PolicyAuthorize(SigA (Y)) X
TEE OS driver loaded
measurementPCR 3
TEE succesfully loaded
measurementPCR 1
Skip to Standards Summary
![Page 102: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/102.jpg)
112
Example policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
Ext.sign.
measurementPCR 2
MeasurementPCR 2
OS driver for TEE will be measured and launched
measurement PCR5
IF
Rollback protection ..
AND
Assumptions
AND
Policy applies onlyto PCR updates
Driver supplier can change policy later
TEE successfully loaded
AND
Y PolicyAuthorize(SigA (Y)) X
make sure PCRExtend is used (not, e.g., PCRReset)
PolicyCommandCodeor
PolicyCPHash
TEE OS driver loaded
measurementPCR 3
TEE succesfully loaded
measurementPCR 1
Skip to Standards Summary
![Page 103: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/103.jpg)
113
Example policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
Ext.sign.
measurementPCR 2
MeasurementPCR 2
OS driver for TEE will be measured and launched
measurement PCR5
IF
Rollback protection ..
AND
Assumptions
AND
Policy applies onlyto PCR updates
Driver supplier can change policy later
AND
Z PolicyCommandCode(PCRExtend)Y PolicyAuthorize(SigA(Y)) X{Check: Eventual command == PCRExtend}
TEE OS driver loaded
measurementPCR 3
TEE succesfully loaded
measurementPCR 1
![Page 104: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/104.jpg)
114
Example policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
Ext.sign.
measurementPCR 2
MeasurementPCR 2
OS driver for TEE will be measured and launched
measurement PCR5
IF
Rollback protection ..
AND
Assumptions
AND
Policy applies onlyto PCR updates
Driver supplier can change policy later
AND
Z PolicyCommandCode(PCRExtend)Y PolicyAuthorize(SigA(Y)) X{Check: Eventual command == PCRExtend}
TEE OS driver loaded
measurementPCR 3
TEE succesfully loaded
measurementPCR 1
To bind a PCR value:
PolicyPCR (index(3), value(expected meas.))
![Page 105: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/105.jpg)
115
Example policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
Ext.sign.
measurementPCR 2
MeasurementPCR 2
OS driver for TEE will be measured and launched
measurement PCR5
IF
Rollback protection ..
AND
Assumptions
AND
Policy applies onlyto PCR updates
Driver supplier can change policy later
AND
Z PolicyCommandCode(PCRExtend)Y PolicyAuthorize(SigA(Y)) X{Check: Eventual command == PCRExtend}
W PolicyPCR(3, meas.) Z
TEE OS driver loaded
measurementPCR 3
TEE succesfully loaded
measurementPCR 1
![Page 106: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/106.jpg)
116
Example policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
Ext.sign.
measurementPCR 2
MeasurementPCR 2
OS driver for TEE will be measured and launched
measurement PCR5
IF
Rollback protection ..
AND
Assumptions
AND
Policy applies onlyto PCR updates
Driver supplier can change policy later
AND
Z PolicyCommandCode(PCRExtend)Y PolicyAuthorize(SigA(Y)) X{Check: Eventual command == PCRExtend}
W PolicyPCR(3, meas.) Z
We want to support two OS variants based on a PCR2 value:
PolicyOR ({V1, V2})
TEE OS driver loaded
measurementPCR 3
TEE succesfully loaded
measurementPCR 1
![Page 107: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/107.jpg)
117
Example policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
Ext.sign.
measurementPCR 2
MeasurementPCR 2
OS driver for TEE will be measured and launched
measurement PCR5
IF
Rollback protection ..
AND
Assumptions
AND
Policy applies onlyto PCR updates
Driver supplier can change policy later
AND
Z PolicyCommandCode(PCRExtend)Y PolicyAuthorize(SigA(Y)) X{Check: Eventual command == PCRExtend}
PolicyOr({V1,V2}) W PolicyPCR(3, meas.) ZV1V2
TEE OS driver loaded
measurementPCR 3
TEE succesfully loaded
measurementPCR 1
![Page 108: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/108.jpg)
118
Example policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
Ext.sign.
measurementPCR 2
MeasurementPCR 2
OS driver for TEE will be measured and launched
measurement PCR5
IF
Rollback protection ..
AND
Assumptions
AND
Policy applies onlyto PCR updates
Driver supplier can change policy later
AND
Z PolicyCommandCode(PCRExtend)Y PolicyAuthorize(SigA(Y)) X{Check: Eventual command == PCRExtend}
PolicyOr({V1,V2} W PolicyPCR(3, meas.) ZV1V2
Provider of OSB may do certified or authenticated boot. Thus:
Possibly more authorizations needed (e.g., PolicyNV)
or
OSB provider updates PCR2 with result of some PolicyAuthorize(SigB(...))
TEE OS driver loaded
measurementPCR 3
TEE succesfully loaded
measurementPCR 1
![Page 109: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/109.jpg)
119
Example policy
Platform A kernel
Platform B kernel
OR CTR5 > 2
AND
Ext.sign.
measurementPCR 2
MeasurementPCR 2
OS driver for TEE will be measured and launched
measurement PCR5
IF
Rollback protection ..
AND
Assumptions
AND
Policy applies onlyto PCR updates
Driver supplier can change policy later
AND
Z PolicyCommandCode(PCRExtend)Y PolicyAuthorize(SigA(Y)) X{Check: Eventual command == PCRExtend}
PolicyOr({V1,V2} W PolicyPCR(3, meas.) ZV1V2
PolicyPCR(3, H(...)) PolicyPCR(3, H(...))
TEE OS driver loaded
measurementPCR 3
TEE succesfully loaded
measurementPCR 1
![Page 110: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/110.jpg)
120
Assume PCR2 will have value mB if a kernel authorized by provider B (such as platform B kernel was booted, and PCR1 will have mN ifthe correct TEE dríver N was loaded
‹ V1 <- PolicyPCR (2, mB)
‹ W <- PolicyOR ({V1, V2})
‹ Z <- PolicyPCR (1, mN)
‹ Y <- PolicyCommandCode (PCRExtend)
‹ X <- PolicyAuthorize (sig), where sig = Sig_A (Y)
PCRExtend(5, measurement value)
authPolicy for PCR5 is X
Sequence of TPM commands (1/2)
![Page 111: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/111.jpg)
121
V1 = h (0 || PolicyPCR || 2 || mB)
W = h(0 || PolicyOR || (V1 || V2))
Z = h (W || PolicyPCR || 1 || mN)
Y = h (Z || PolicyCommandCode || PCR_Extend)
X = h (0 || PolicyAuthorize || PK_A)
Sequence of TPM commands (2/2)
![Page 112: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/112.jpg)
Standards summary
• Global Platform Mobile TEE specifications
– Sufficient foundation to build trusted apps for mobile devices
• TPM 2.0 library specification
– TEE interface for various devices
– Extended Authorization model is (too?) powerful and expressive
– Short tutorial on TPM 2.0: Citizen Electronic Identities using TPM 2.0
• Mobile deployments can combine UEFI, NIST, GP and TCG standards
• Developers do not yet have full access to TEE functionality http://open-tee.github.io
![Page 113: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/113.jpg)
A LOOK AHEADChallenges ahead and summary
![Page 114: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/114.jpg)
124
Open issues and research directions
1. Novel mobile TEE architectures
2. Issues of more open deployment
3. Trustworthy TEE user interaction
4. Hardware security and user privacy
Skip to Summary
![Page 115: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/115.jpg)
125
Novel mobile TEE architectures
• Ring-3 Enclaves?
• Multiple cores?
• Low-cost alternatives?
![Page 116: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/116.jpg)
Intel Software Guard Extensions
• SGX provides hardware-supported TEE functionality in ring-3
• Enclave code and data are encrypted by hardware
• Supports attestation and sealing
OS/Hypervisor
App1 App2
Hardware
Enclave1 Enclave2
Hardware support for enclaves
App-specific TEEs
![Page 117: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/117.jpg)
128
Low-cost mobile TEE architectures
TrustLite– Execution aware memory protection
– Modified CPU exception engine for interrupt handling
– Koeberl et al. TrustLite: A Security Architecture for Tiny Embedded Devices. EuroSys’14.
SMART– Attestation and isolated execution at minimal hardware cost
– Custom access control enforcement on memory bus
– Defrawy et al. SMART: Secure and Minimal Architecture for (Establishing Dynamic) Root of Trust. NDSS’12.
• How to support standard interfaces on new TEE architectures?– “On Making Emerging Trusted Execution Environments Accessible to
Developers”: http://arxiv.org/abs/1506.07739
![Page 118: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/118.jpg)
Issues of open deployment
• Certification and liability issues?– Especially application domains like payments
• Credential lifecycle management– Device migration becomes more challenging in open model
– Hybrid approach: open provisioning and centralized assisting entity
– Kostiainen et al. Towards User-Friendly Credential Transfer on Open Credential Platforms. ACNS’11.
User device
Service provider Service provider
Trusted authority
![Page 119: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/119.jpg)
130
Trustworthy user interaction
• Trustworthy user interaction needed
– Provisioning
– User authentication
– Transaction confirmation
• Technical implementation possible
• But how does the user know?
– Am I interacting with REE or TEE?TEE entry
App
Mobile OS
REE
App
Trusted OS
Trusted app
Trusted app
TEE
Smartphone hardware
![Page 120: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/120.jpg)
133
Hardware security and user privacy?
• Secure boot can be used to limit user choice
– Common issue of mechanism vs. policy
• Allows new opportunities for attackers
– Vulnerabilities in TEE implementation → rootkits
– Thomas Roth. Next Generation rootkits. Hack in Paris 2013.
![Page 121: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/121.jpg)
134
Summary
• Hardware-based TEEs are widely deployed on mobile devices– But access to application developers has been limited
• TEE functionality and interfaces are being standardized– Might help developer access
– Global Platform TEE architecture
– TPM 2.0 Extended Authorization and Mobile Architecture
• Open research problems remain
![Page 122: Trusted Execution Environments · On-board Credentials First part Second part NIST. MOBILE HARDWARE SECURITY What constitutes a TEE? 10 1. Platform integrity 2. Secure storage 3.](https://reader035.fdocuments.in/reader035/viewer/2022063014/5fce7889ae028a630427fbd9/html5/thumbnails/122.jpg)
Further reading
• Mobile Trusted Computing. Proceedings of the IEEE 102(8): 1189-1206 (2014)
• The Untapped Potential of Trusted Execution Environments on Mobile Devices. IEEE Security & Privacy Magazine 12(4):29-37 (2014)
• Citizen Electronic Identities using TPM 2.0, ACM CCS TrustEDworkshop (2014)
Slides of this lecture: http://asokan.org/asokan/Bilbao2015
Contact info: http://asokan.org/asokan/